CVE-2022-20737: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2022-20737) was discovered in the HTTP authentication handler for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software. The vulnerability was first published on April 27, 2022, and affects Cisco ASA Software with Clientless SSL VPN configured. The issue stems from insufficient bounds checking when parsing specific HTTP authentication messages (Cisco Advisory).

The vulnerability is classified as a Heap-based Buffer Overflow (CWE-122) and Out-of-bounds Write (CWE-787). It received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H. The vulnerability requires an authenticated, remote attacker who controls a web server that can be accessed through the Clientless SSL VPN portal (Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS) condition by forcing the device to reload or to obtain portions of process memory that may contain sensitive information from the affected device (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available. Fixed releases include ASA versions 9.8.4.44, 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Users of ASA Software releases 9.7 and earlier, as well as releases 9.9, 9.10, and 9.13, which have reached end of software maintenance, are advised to migrate to a supported release (Cisco Advisory).